Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
Prev Previous Post   Next Post Next
  #1  
Old 05-06-2008, 06:05 AM
sv1cec sv1cec is offline
 
Join Date: May 2004
Location: Athens, Greece
Posts: 2,091
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Help in securing vB 3.0.xx for the CSRF vulnerability

OK friends, here is the problem.

I have been using vB 3.0.xx in my site, for two simple reasons, (a) that I had no good reason to upgrade, 3.0.xx was covering my needs and (b) because my site is heavily hacked/improved with lots of modifications, some of them downloaded from here and some of them done by myself. When vB released 3.5, with the new coding conventions, I decided that the hassle was too much, and the benefits too little, so I stayed with 3.0.xx and have never regretted it.

All these years, I have been paying my vB license fees, for the simple reason that I was hoping that Jelsoft will have the decency to provide me with security updates/fixes. Remember that I am using the same major release as the current one, so I was under the impression that Jelsoft would at least make sure that my version is secure.

Enter the latest vulnerability announcement and Jelsoft position, that they do not offer any security fix for older releases. I find this absurd, but that's not the point here. The point is that I am forced to either upgrade to 3.7 and loose all my special code in my site, or to stay with a vulnerable version of vB.

I have been in touch with vB people and they do not recognize this problem, their position is that this vulnerability is not very serious and that they can't support previous releases (we are still at the same major release, mind you) and this is a security issue. I understand that they can't provide a patch for 3.0.xx, but what I was looking for, was at least some concise, concrete instructions on how to plug this hole in their software. Instead, they have send me a couple of files, which were supposed to help me patch my version (one is an explanation of how to patch 3.6.xx and the other is a diff file showing all differences between 3.6.9 and 3.6.10), unfortunately the code is in vB 3.6 not in vB 3.0. As a result these files are next to useless for me. For example, the code does not use md5 for the token, but sha1 or something, which I am not even sure it can be used in the php release I am using.

Implementing the fix on the end-user side is relatively easy, all one has to do, is to add the following line in the php files he wants to protect:

Code:
define('CSRF_PROTECTION', true);
and add this line in the templates which use POST to submit a form:

Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
My problem is how this "securitytoken" is generated and added in the $bbuserinfo array, and of course, where is the token checked, when submitted by a form which uses POST.

Can someone help on this? Can someone help me figure out the code which has to be added (in 3.0.xx coding standards) and where, in order to generate the token and check it?

As I explained upgrading will be a huge problem, due to all the different code I have implemented in my site (my users will go crazy, I am not even sure if the site can be upgraded with all the different columns I've added to tables etc), and keep using a vulnerable release is of course plain stupid, so all help on this will be appreciated.
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 03:16 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03920 seconds
  • Memory Usage 2,563KB
  • Queries Executed 12 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (2)bbcode_code
  • (3)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (8)post_thanks_box
  • (8)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (8)post_thanks_postbit_info
  • (8)postbit
  • (8)postbit_onlinestatus
  • (8)postbit_wrapper
  • (1)showthread_list
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_threadedmode.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids_threaded
  • showthread_threaded_construct_link
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete